Alternative Syntax Material

Alternative Paths

With modern frameworks and applications, the same information is often available at multiple locations. Therefore, if an administrator blocks a specific path, the same data might still be accessible elsewhere. A framework might expose a combination of HTML pages, a REST API, a WebSocket API and a GraphQL API.

As an example, many cloud hosting providers try to enforce additional hardening on WordPress instances. One possible reason is that WordPress is among the most widely used applications and is therefore also a common target for attackers. In a survey of many thousands of WordPress deployments, most high-profile WordPress websites had attempted to disable user enumeration, but in most cases enumeration was still possible through lesser-known entry points.

Here are four different URLs/paths that return users' details, including their email addresses.

  • https://target.blog/wp-json/wp/v2/users
  • https://target.blog/?author=1
  • https://target.blog/?rest_route=/wp/v2/users
  • https://public-api.wordpress.com/rest/v1.1/sites/target.blog/posts

Source: 6 ways to enumerate WordPress Users

Alternative HTML Tags

If developers have manually chosen a list of HTML tags to forbid, they will likely have forgotten some tags that can still be used. The same strategy applies when looking for edge cases in an HTML sanitizer.

For an exhaustive list of HTML tags and HTML attributes, refer to the DOMPurify project. It is actively updated when new elements are added to the standard or when new behaviors are found.

<svg/onload=prompt(/OPENBUGBOUNTY/)>

Cloudflare XSS Bypass by Bohdan Korzhynskyi

<video onnull=null onmouseover=confirm(1)>

Akamai WAF Bypass (2018) found by @s0md3v:

<dETAILS
open
onToGgle
=
a=prompt,a() x>
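As an added example (not code from the original page or from DOMPurify), the Python below contrasts a denylist filter, which the three payloads above pass through untouched, with an allowlist sanitizer built on the standard library's HTMLParser that rebuilds its output from known-safe tags and attributes only; the tag and attribute lists are assumptions chosen for illustration.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample input: the three payloads quoted on this page.
PAYLOADS = [
    "<svg/onload=prompt(/OPENBUGBOUNTY/)>",
    "<video onnull=null onmouseover=confirm(1)>",
    "<dETAILS\nopen\nonToGgle\n=\na=prompt,a() x>",
]

# Denylist: removes only the tags the developer remembered to forbid.
DENY_TAGS = re.compile(r"</?\s*(script|iframe|img|object|embed)\b[^>]*>", re.I)

def denylist_sanitize(markup: str) -> str:
    return DENY_TAGS.sub("", markup)

# Allowlist (assumed, illustrative): output is rebuilt from parsed tokens only.
ALLOWED = {"p": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
           "ul": set(), "ol": set(), "li": set(), "br": set(), "a": {"href"}}
SAFE_URL = re.compile(r"^(https?:|/(?!/))", re.I)  # rejects javascript:, data:, //

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:          # svg, video, dETAILS (lowercased) ...
            return
        parts = [tag]
        for name, value in attrs:
            if (name not in ALLOWED[tag] or value is None
                    or (name == "href" and not SAFE_URL.match(value.strip()))):
                continue                # on* handlers, unknown attrs, unsafe URLs
            parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data))  # text nodes are always re-escaped

def allowlist_sanitize(markup: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()                      # flushes buffered text
    return "".join(parser.out)
```

Note that the allowlist never has to know about `svg`, `video` or `details`: anything the parser tokenizes that is not explicitly allowed is dropped, which is the property a denylist cannot provide.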

Alternative Keywords

To protect against SQL injection, WAFs detect metadata table names, since these are unlikely to be submitted by a user unless the website is a forum about SQL. Instead of targeting the DBMS's typical metadata tables (information_schema.tables, all_tables, sys.sysobjects), table names that are less commonly known can be used.

When you have a good idea of the language or framework used by the application, you can look for statistics tables or ORM metadata tables.

MySQL alternatives to information_schema.tables:

  • information_schema.partitions
  • information_schema.statistics
  • information_schema.key_column_usage
  • information_schema.table_constraints
  • mysql.innodb_table_stats

Entity Framework 6.0 / .NET specific tables:

  • dbo.__MigrationHistory
  • AspNetUsers

Entity Framework Core

The Entity Framework Core library no longer includes the Model column, which contained the model in a GZIP-compressed, hex-encoded format (Entity Framework 6.0 and below only).

Oracle alternatives to all_tables:

  • ALL_TAB_STATISTICS
  • ALL_TAB_STATS_HISTORY
  • ALL_TAB_STAT_PREFS
  • ALL_TAB_MODIFICATIONS
  • ...